As 2024 comes to a close, it’s traditional to reflect on the and maybe catch up on bits of reading and events that we missed throughout the year because of our busy schedules. To this end, I recommend to you three of this year’s Waterfall webinars, each an overview of Waterfall or other authors’ reports that read faster when we’ve seen an overview, so each of us can skip faster to the material we find most potentially useful.

Over the past 12 months, it has been a pleasure and a privilege to co-host the Industrial Security Podcast. When I started the podcast 5-ish years ago, bluntly, I did not know if there was enough industrial security content in the world for more than a year or two of episodes. It turns out the OT security space is much broader and deeper than I knew, and I’ve both learned something in every episode and become aware of how much more that I don’t know that every one of my guests do know and give us a few insights based on that knowledge in every episode.

Choosing three from this year’s episodes was hard, but here are three that stood out for me. If you ask me for a theme for these episodes, I’d have to say all three provide insights into high-consequence attacks, risk blind spots, and of course defenses against these attacks. This is all consistent with the perspective of the Cyber-Informed Engineering initiative and with the themes I explore in my latest book, Engineering-Grade OT Security: A Manager’s Guide.

I hope you enjoy listening to these podcasts as much as I enjoyed the interviews and discussions. And stay tuned, we are working on many more guests and discussions in 2025!

I was asked to put a few words together about my favorite Industrial Security Podcast episodes of all time. I scanned the complete list at https://waterfall-security.com/podcast and came up with these five. The first four were episodes that contributed materially my thinking & the formation of sections and chapters in my latest “gold” book Engineering-Grade OT Security: A manager’s guide.

The fifth didn’t really fit the gold book, but I’m mulling the episode over for possible inclusion in my next book, if there is one. The gold book was all about risk in the context of individual organizations. For the future, I’m wondering if the world needs a bigger picture book of where OT cyber risk fits into the context of “all risks” that modern societies face, from nuclear war and EMPs to massive solar storms and global warming. I dunno for sure, please let me know what you think. 

Moments after the discovery of a ransomware attack on the IT network of the North American Colonial Pipeline, company management responded with shutting down all physical operations out of “an abundance of caution”. As a result of this shutdown, Colonial lost 6 days of operation at 2.5 million barrels per day and paid nearly $5 million in ransom payment. The precautionary shutting down of operations reflected a degree of uncertainty in the cybersecurity controls in place at the time protecting the OT network from cyber attacks propagating through the IT network. The US Transportation Security Administration (TSA) responded by releasing a series of security directives following this event, with a common thread repeated through the series of directives: implement a cyber defense strong enough that, if the IT network is compromised, the OT network can continue operating at necessary capacity. The Colonial attack represents the present-day OT cyber risk scenario that industrial enterprises can no longer avoid; OT networks must be sufficiently protected from attacks arriving via more-exposed or less-consequential networks.

Designing a strong defensive posture to minimize OT cyber risk is a multi-step process, and one of the first places to start is by taking a thorough inventory, not only of industrial and cyber assets, but also of data flows and interdependencies. Physical assets and operations are what we need to protect, but data flows can be the means through which cyber sabotage attacks travel, and interdependencies must be discovered and understood as they complicate the task of how and what we need to protect. Let’s look at each of these in more detail.